From: Jason Ish Date: Thu, 21 Dec 2017 00:09:04 +0000 (-0600) Subject: tls test: based on tls tests in @regit suripcap branch X-Git-Tag: suricata-6.0.4~555 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f89e89acf149e567c715d5b47d3c15e4ccb52e87;p=thirdparty%2Fsuricata-verify.git tls test: based on tls tests in @regit suripcap branch combines "TLS 1" and "TLS alert" into a single test
---
diff --git a/tests/tls/test.yaml b/tests/tls/test.yaml
new file mode 100644
index 000000000..372070119
--- /dev/null
+++ b/tests/tls/test.yaml
@@ -0,0 +1,24 @@
+checks:
+
+ - filter:
+ count: 4
+ match:
+ event_type: tls
+ tls.serial: 00:97:E6:47:09:8E:EA:C9:B4
+ tls.issuerdn: C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS
+
+ - filter:
+ count: 1
+ match:
+ event_type: tls
+ tls.session_resumed: true
+
+ - filter:
+ count: 4
+ match:
+ event_type: alert
+ alert.signature_id: 1
+
+ - stats:
+ app_layer.flow.tls: 5
+ app_layer.tx.tls: 0
diff --git a/tests/tls/tls.pcap b/tests/tls/tls.pcap
new file mode 100644
index 000000000..8aca21861
Binary files /dev/null and b/tests/tls/tls.pcap differ
diff --git a/tests/tls/tls.rules b/tests/tls/tls.rules
new file mode 100644
index 000000000..2600511a3
--- /dev/null
+++ b/tests/tls/tls.rules
@@ -0,0 +1 @@
+alert tls any any -> any any (msg:"Stamus TLS"; tls_cert_issuer; content:"O=Stamus"; sid:1; rev:1;)
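Review bot: The expected counts in tests/tls/test.yaml are not explained, and they only make sense when read together. The certificate filter and the alert filter both expect 4, the stats check expects `app_layer.flow.tls: 5`, and one event has `tls.session_resumed: true`. Presumably the resumed session carries no certificate, so it yields a tls event without serial or issuer and no alert from sid 1, but the file does not say so. A comment above the first filter, such as `# 5 TLS flows in tls.pcap: 4 full handshakes with the Stamus certificate, 1 resumed session without one`, would stop a later reader from "correcting" the mismatch; confirm the wording against the pcap. `app_layer.tx.tls: 0` next to five TLS flows deserves a one-line comment for the same reason.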
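Review bot: The rule in tests/tls/tls.rules matches `content:"O=Stamus"` as an unanchored substring of the issuer buffer, so it fires just as well on an organisation name that merely begins with "Stamus" or on that text inside another DN attribute. The alert count of 4 therefore shows that the buffer contains the string somewhere, not that it holds the issuer test.yaml asserts. Matching the full DN that test.yaml already checks, `content:"C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS";`, would tie the alert to the same certificate as the `tls.issuerdn` filter. Whether the buffer is formatted exactly like the logged `tls.issuerdn` should be confirmed before changing it.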